Ranger Usersync
Reference information on Ranger usersync, when configuring Ranger AD integration.
A vital part of the Ranger architecture is the ability to get users and groups from the corporate AD to use in policy definitions.
Ranger usersync runs as separate daemon:
It can also be refreshed using the Actions drop-down.
Ranger Usersync Configuration
Usersync has a lot of moving parts and can have very different outcomes. Two main sets of properties govern the way users and groups are synchronized.
Without Enable Group Search First, the primary access pattern is user-based, and groups are only searched/added based on the users it finds first. In contrast, with Enable Group Search First enabled, the primary access pattern is group-based (in turn based on the group search filter) and users are only searched/added based on the group memberships it finds first.
Value of ‘User Search Base’:
OU=CorpUsers,DC=field,DC=hortonworks,DC=com
Value of ‘User Search Filter’:
(|(memberOf=CN=Hdp_admins,OU=Company,OU=User Accounts,OU=CorpUsers,DC=field,DC=hortonworks,DC=com)(memberOf=CN=Hdp_users,OU=Company,OU=User Accounts,OU=CorpUsers,DC=field,DC=hortonworks,DC=com))
Value of ‘User Group Name Attribute’:
sAMAccountName
Value of ‘Group Search Base’:
(|(CN=Hdp_users)(CN=Hdp_admins))
Be aware that the filters on the group level limit the returns on the user search, and vice versa. In the graph above if the left oval represents the results of all users queried by the user configuration settings, and the right oval represents all users queried by the group configuration settings, the eventual set of users that make it to Ranger usersync is the overlap between the two.
Therefore it is recommended that you set the filters on both ends exactly the same to potentially have a 100% overlap in the ovals.
In the example configuration above, the scope of the usersync would be all members of the "Hdp_admins" and "Hdp_users" groups.
The best of both worlds is to have both Enable Group Search First and Enable User Search enabled.
The logging of a run of the usersync daemon can be retrieved from /var/log/ranger/usersync/usersync.log on the server hosting Ranger Admin. A successful run might output logging like below:
From that log it clearly shows that the groups are synced first and that all users belonging to those groups are then retrieved according to its own settings, after which the user parts are enriched/overwritten by the returns from the user queries.
Beware:
If you don’t enable Enable User Search, that enrichment does NOT happen. Logging for such a run looks like this:
The result in the Ranger UI are other user names (LongUserName) derived from "member" group attributes full DN. You get the long name "James Kirk’ in the Ranger userlist in stead of "j.kirk". Ranger does not treat those as one and the same user. Policies that are defined for user "k.reshi" will not map to the user "Kvothe Reshi", and vice versa. To prevent any confusion it is probably best to delete the long username versions from the Rangers user list.